LinuxQuestions.org
Old 11-28-2004, 09:05 AM   #1
SADANA
LQ Newbie
 
Registered: Nov 2001
Location: Amman - Jordan
Distribution: Slackware
Posts: 25

Rep: Reputation: 15
SELinux + Apache + MySQL + PHP


Hi all,
I'm playing around with Fedora3, trying to make apache + php + mysql play well together, but it seems SELinux is getting in the way. I keep getting: "#2002 - Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)" when using phpMyAdmin.
My understanding of the situation is that apache is running under a different security domain than mysql, specifically apache is running "user_u:system_r:httpd_t" context, while the mysql socket has the "user_u:object_r:var_lib_t" security context.
I know SELinux can be disabled, which I did by booting with the option "enforcing=0" and the whole thing worked great. Googling around gave the following url: http://www.codecomments.com/PHP_SQL/message323526.html , which also suggests turning off SELinux, which defeats the whole Security Enhanced thing!
The article about SELinux on Red Hat Magazine, http://www.redhat.com/magazine/001no...tures/selinux/ , talks about "transition" between security domains, but doesn't specify how to actually implement it...

Any ideas?
Thanks in advance :-)
 
Old 12-17-2004, 01:17 PM   #2
philio
LQ Newbie
 
Registered: Jul 2004
Location: England
Distribution: Fedora
Posts: 24

Rep: Reputation: 15
I've had the exact same problem, unfortunately I don't really have the time to spend messing around with it too much though.

I use my machine for software development and apache/mysql are crucial to my work, I've just turned SELinux off as it's more trouble than it's worth!
  • Firstly every time I put something on the webserver you've gotta chcon it - pain in the ass!
  • Secondly I got the same error with phpMyAdmin 2002 cannot connect to socket

SELinux is a good idea but if it stops you working then that defeats the object of it entirely. I'm going to see if I can figure out a way to make it all run smoothly when I get some spare time and if I find anything I will post again.
 
Old 12-21-2004, 07:39 PM   #3
theteenager
LQ Newbie
 
Registered: Jul 2003
Distribution: Fedora
Posts: 8

Rep: Reputation: 0
Disabling the SELinux protection on the HTTPD will fix this problem. To do so:
- Go to the Security Level, under System Settings
- Click on the SELinux tab
- Drop down the HTTPD Service entry
- Check the box that says "Disable SELinux protection for httpd daemon"

This should work.

Have fun!!

Last edited by theteenager; 02-26-2006 at 11:16 PM.
 
Old 01-15-2005, 09:08 AM   #4
Butt-Ugly
Member
 
Registered: Nov 2004
Location: Brisbane, Australia
Distribution: Fedora Core 5
Posts: 89

Rep: Reputation: 15
You probably only need to restore all of the mysql file security contexts...
Code:
service mysqld stop
restorecon -v -R /usr/libexec/mysqld
restorecon -v -R /var/run/mysqld
restorecon -v /var/log/mysqld.log
restorecon -v -R /var/lib/mysql
restorecon -v /var/lib/mysql/mysql.sock
restorecon -v -R /etc/my.cnf
service mysqld start
That should do it..

Miles.
 
Old 02-01-2005, 10:23 AM   #5
sawoy
LQ Newbie
 
Registered: Mar 2004
Location: Russia
Posts: 13

Rep: Reputation: 0
But what must I do if I don't want to disable SELinux for httpd?

Can anybody say what I must do to turn on apache + mysql + selinux?

for info: i have FC3 without

in messages (after start mysqld + restorecon):

<bla-bla> kernel: audit(1106899796.621:0): avc: denied { write } for pid=2358 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=292796 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=sock_file


2 Butt-Ugly:
1. after start, mysql creates mysql.sock again with an incorrect context
2. even if I run restorecon again after mysqld's start, it doesn't help
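
An added example, not part of the original post: a small shell reader for AVC denial records like the one quoted above, which pulls out the source type, target type, object class and denied permission. The sample is the post's record with the target context written as system_u:object_r:var_lib_t; the function names and the list of "generic" types are assumptions of this example.

```shell
#!/bin/sh
# Added example: read the fields of an SELinux AVC denial record.

# The denial quoted in the post above (syslog prefix dropped).
SAMPLE='audit(1106899796.621:0): avc: denied { write } for pid=2358 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=292796 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=sock_file'

# avc_field LINE KEY: print the value of " KEY=value" in the record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: print the type, the third field of user:role:type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_generic_label TYPE: succeed if TYPE is a directory-default or
# unlabeled type. The list is an assumption of this example, not complete.
is_generic_label() {
    case $1 in
        var_lib_t|var_run_t|var_t|tmp_t|default_t|file_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_summary LINE: one line of "source -> target:class { perms } on name".
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s -> %s:%s { %s } on %s\n' "$src" "$tgt" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")" "$(avc_field "$1" name)"
}

avc_summary "$SAMPLE"
if is_generic_label "$(ctx_type "$(avc_field "$SAMPLE" tcontext)")"; then
    echo "target has a generic label: check the object's expected file context"
fi
```

Read this way, the record says the httpd_t domain was refused write on a socket file that carries the directory's default type rather than a MySQL-specific one, which is the mismatch the thread is about.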
 
Old 02-04-2005, 01:41 PM   #6
KimMcCall
LQ Newbie
 
Registered: Jun 2004
Location: Menlo Park, CA
Distribution: Fedora Core 3
Posts: 9

Rep: Reputation: 0
The *REAL* fix for this problem

This problem was hashed out in a fairly readable way in the RedHat fedora-selinux-list forum. The initial post is now at

https://www.redhat.com/archives/fedo.../msg00013.html

You'll want to read most of the followups.

The preferred solution involves creating an selinux domain, "mysqld_t," that has permission to read and write a particular socket. Manipulating selinux sounds hairy, but the instructions are fairly straightforward. The correct solution is the first one suggested in

https://www.redhat.com/archives/fedo.../msg00015.html

NB: the line that reads:
* service mysql restart
should read:
* service mysqld restart

good luck!

Last edited by KimMcCall; 02-04-2005 at 01:56 PM.
 
Old 03-28-2005, 11:06 PM   #7
LLS
Member
 
Registered: Sep 2003
Location: North America
Distribution: FC6 FC7 F8
Posts: 75

Rep: Reputation: 15
Quote:
Originally posted by sawoy
But what must I do if I don't want to disable SELinux for httpd?

Can anybody say what I must do to turn on apache + mysql + selinux?

Work through these two tutorials; I just did and have a working LAMP server running on FDC3 with selinux on, and I got everything I needed from them.

http://www.lamphowto.com/lamp.htm
http://www.mikepalmer.net/howto/
 
  


All times are GMT -5. The time now is 02:26 AM.
